
When SEGs Fail: Threat Actors Abuse Docusign to Launch Sophisticated Phishing Attacks

Threat actors are exploiting Docusign to bypass traditional email security, but Abnormal Security’s AI-powered platform stops these attacks by detecting behavioral anomalies in real time.
February 6, 2025

At Abnormal Security, we’ve seen a surge in phishing campaigns exploiting Docusign, a trusted platform for electronic signatures. These attacks take advantage of Docusign’s credibility to bypass traditional email defenses, tricking recipients into sharing sensitive information or transferring money.

Despite Docusign issuing a Public Service Announcement (PSA) in late 2024 to warn users, attackers continue refining their techniques—leveraging trusted brands to carry out sophisticated phishing campaigns.

How These Attacks Work

Phishing emails mimicking Docusign notifications exploit brand trust to deceive recipients. Abnormal Security has identified a few recurring tactics used in these attacks.

[Image: Docusign1]

As you can see from the example above, these tactics include:

  • Low-Context File Sharing Links: Emails often contain Docusign links with vague or no explanation of the document’s purpose.

  • Unusual Senders: Attackers impersonate Docusign using email addresses with no prior interaction with recipients.

  • Suspicious Financial Requests: Many emails request payment adjustments or fund transfers, actions uncommon for the recipient’s role.

  • Reply-To Mismatch: Reply-To domains rarely match Docusign or the sender’s domain.

  • Credential Theft: The email content is often designed to steal sensitive information like login credentials or payment details.

Why Traditional Email Security Fails

Legacy email security solutions, like secure email gateways (SEGs), are not equipped to detect sophisticated phishing attacks that exploit trusted platforms like Docusign. Here’s why:

  • Static Rules and Whitelists: SEGs rely on static rules, keyword matching, and allowlists to filter emails. While this works for broad, easily identifiable attacks, it is ineffective against sophisticated threats that use trusted domains like Docusign to bypass defenses.
  • Lack of Behavioral Analysis: SEGs do not analyze user or organizational behavior to identify anomalies. For instance, they cannot detect when an email is inconsistent with the recipient’s typical interactions or role-specific responsibilities.
  • Insufficient Contextual Awareness: Traditional systems focus on email headers and authentication protocols (e.g., SPF, DKIM, and DMARC). These methods verify the domain but cannot flag misuse of legitimate accounts or platforms.

By relying on outdated approaches, SEGs create a false sense of security, leaving organizations vulnerable to advanced phishing campaigns.

How Abnormal Detects Sophisticated Phishing Attacks

Abnormal’s AI-native platform continuously learns your organization’s unique behavior patterns to detect even the most sophisticated threats. Here’s how we stopped an attack abusing Docusign:

  • Behavioral Anomaly: The sender had no prior interaction with the recipient, a red flag detected by Abnormal’s models.

  • Low-Context Link: The Docusign link was flagged as suspicious, correlating with patterns used in previous phishing campaigns.

  • Unusual Request: The email urged a payment adjustment—an action uncommon for the recipient’s role.

  • Reply-To Mismatch: The Reply-To domain differed from both Docusign and the sender’s domain, further raising suspicion.

Abnormal identified this email as malicious in real time, removing it from the user’s inbox before it could cause harm. This underscores Abnormal’s ability to detect and neutralize threats—even those leveraging trusted platforms.
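A simplified, header-and-body check for the four signals listed above (unusual sender, low-context Docusign link, financial request, Reply-To mismatch), shown as an added example; it is not Abnormal's detection logic or code from the original post. The domain list, keyword list, word-count threshold, known-senders set and sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumptions: Docusign-owned domains, payment phrases, "low-context" word limit.
DOCUSIGN_DOMAINS = ("docusign.com", "docusign.net")
FINANCIAL_RE = re.compile(r"\b(payment|wire|transfer|invoice|remittance)\b", re.I)
URL_RE = re.compile(r"https?://([^/\s:]+)\S*", re.I)
LOW_CONTEXT_WORDS = 25

def domain_of(header_value):  # lower-cased domain of an address header, '' if absent
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def is_docusign(host):
    return any(host == d or host.endswith("." + d) for d in DOCUSIGN_DOMAINS)

def body_text(msg):
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload(decode=True).decode(errors="replace")
                     for p in parts if p.get_content_type() == "text/plain")

def phishing_signals(raw, known_senders):
    """Return the names of the signals that fire for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    reply_dom = domain_of(msg.get("Reply-To"))
    body = body_text(msg)
    hosts = [h.lower() for h in URL_RE.findall(body)]
    prose = URL_RE.sub(" ", body).split()  # words left once links are removed
    signals = []
    if sender not in known_senders:  # no prior interaction with this recipient
        signals.append("unusual_sender")
    if any(is_docusign(h) for h in hosts) and len(prose) < LOW_CONTEXT_WORDS:
        signals.append("low_context_link")
    if FINANCIAL_RE.search(msg.get("Subject", "") + " " + body):
        signals.append("financial_request")
    if reply_dom not in ("", domain_of(msg["From"])) and not is_docusign(reply_dom):
        signals.append("reply_to_mismatch")
    return signals

# Constructed sample message (not taken from the campaign described here).
SUSPICIOUS = """From: Docusign <dse@docusign.net>
Reply-To: accounts@billing-example.test
Subject: Complete with Docusign: Payment adjustment

Please review the payment adjustment.
https://www.docusign.net/example-envelope
"""

print(phishing_signals(SUSPICIOUS, {"dana@example.com"}))
```

None of these signals is conclusive alone; in practice they are weighted together and the known-senders set is built per recipient from mail history.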

Stay Ahead of Evolving Threats with AI-Powered Email Security

As attackers grow more sophisticated, exploiting trusted platforms like Docusign, traditional email security solutions fall behind. Protecting your organization requires a proactive, AI-powered approach capable of understanding user behavior and intent.

Discover how Abnormal Security safeguards your organization from advanced phishing attacks. Schedule a demo today!
